The NYDFS cybersecurity regulation (23 NYCRR Part 500), amended in November 2023 with phased compliance deadlines running through November 1, 2025.
Covered Entities: banks, insurers, mortgage lenders, and any other financial institution operating under a license, registration, charter or similar authorization from the New York Department of Financial Services.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
A designated CISO who reports in writing to the board (or equivalent governing body) at least annually (Section 500.4).
Independent audits of the cybersecurity program for Class A companies (Section 500.2(c)); annual penetration testing from inside and outside the network boundary, plus automated vulnerability scanning, for every Covered Entity (Section 500.5).
Multi-factor authentication for privileged accounts, remote access and externally facing applications now, extending to any individual accessing any of the entity's information systems by November 1, 2025 (Section 500.12).
Notice to NYDFS within 72 hours of determining that a reportable cybersecurity incident has occurred (Section 500.17(a)); any extortion payment must be reported within 24 hours, with a written explanation within 30 days.
Asset inventory with risk classification, owner, location, recovery-time objective and end-of-life date for each asset (Section 500.13).
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
MFA enforcement and exception reporting bound to Section 500.12; privileged-account inventory, least-privilege and periodic access review bound to Section 500.7.
72-hour reporting timer attached to every incident, with NYDFS portal export. The clock starts at the determination that the incident is reportable, not at first detection, so the timer records both timestamps.
Asset inventory with risk classification per Section 500.13.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
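What "verify integrity without trusting the vendor" means in practice: the auditor holds only the pipeline's public key, recomputes the signed message from the artifact in front of them, and checks the signature. The following is an added example, not Safeguard's code and not its actual artifact format; the `Artifact` fields, the `evidence-v1` domain tag and the length-prefixed canonical encoding are all assumptions made for illustration. Ed25519 from the Go standard library is used as the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Artifact is a hypothetical evidence record (not a real Safeguard format):
// which Part 500 section it supports, when it was collected, and the raw
// telemetry it summarises.
type Artifact struct {
	Control   string    // e.g. "500.12"
	Collected time.Time // collection timestamp, normalised to UTC when signed
	Payload   []byte    // raw evidence: a log export, a scan result, ...
}

// canonical serialises the artifact unambiguously before signing. Every field
// is length-prefixed so bytes cannot be shifted between fields without
// changing the message, a fixed domain tag keeps these signatures from being
// replayed as anything else, and the payload is hashed so the signature covers
// it without the message growing with the evidence size.
func canonical(a Artifact) []byte {
	var buf []byte
	put := func(b []byte) {
		var l [8]byte
		binary.BigEndian.PutUint64(l[:], uint64(len(b)))
		buf = append(buf, l[:]...)
		buf = append(buf, b...)
	}
	put([]byte("evidence-v1")) // assumed domain separator
	put([]byte(a.Control))
	put([]byte(a.Collected.UTC().Format(time.RFC3339Nano)))
	sum := sha256.Sum256(a.Payload)
	put(sum[:])
	return buf
}

// NewSigner generates the pipeline's key pair. Only the public half is handed
// to auditors.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is what the evidence pipeline does at collection time.
func Sign(priv ed25519.PrivateKey, a Artifact) []byte {
	return ed25519.Sign(priv, canonical(a))
}

// Verify is what the auditor runs: public key, artifact and signature are the
// only inputs, so nothing about the vendor's systems has to be trusted. `now`
// is the verifier's own clock, used to reject timestamps from the future.
func Verify(pub ed25519.PublicKey, a Artifact, sig []byte, now time.Time) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, canonical(a), sig) {
		return errors.New("signature does not match artifact")
	}
	if a.Collected.After(now) {
		return errors.New("collection timestamp is in the future")
	}
	return nil
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample artifact: an MFA exception count for Section 500.12.
	a := Artifact{
		Control:   "500.12",
		Collected: time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC),
		Payload:   []byte("mfa-exceptions: 0"),
	}
	sig := Sign(priv, a)
	now := time.Date(2025, 3, 2, 0, 0, 0, 0, time.UTC)
	fmt.Println("original verifies:", Verify(pub, a, sig, now) == nil)

	// Backdating the artifact invalidates the signature.
	backdated := a
	backdated.Collected = a.Collected.Add(-24 * time.Hour)
	fmt.Println("backdated rejected:", Verify(pub, backdated, sig, now) != nil)
}
```

The timestamp here is asserted by the signer; it proves the artifact was not altered after signing, not that the signer's clock was honest. Where the auditor needs the latter, the signed artifact would additionally be submitted to an independent time-stamping authority, which is outside what this example shows.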
Certification of Compliance (Section 500.17(b)), pre-populated from the evidence above; the same evidence is what supports the signatures of the CISO and the highest-ranking executive.
CISO annual report to the board (Section 500.4(c)).
Penetration test and vulnerability scan reports (Section 500.5), retained with the other records supporting the certification for the five years Section 500.17(b) requires.
These frameworks share substantial control overlap with NYDFS Part 500. Customers running one assessment typically reuse much of the same evidence base for the others; what changes is the control mapping and each framework's own scope, not the telemetry.
SOC 2 (North America): the Trust Services Criteria attestation that has become the de facto B2B SaaS security baseline globally.
PCI DSS (Global, payments): the global payment-card data security standard, now at v4.0, whose future-dated requirements become mandatory on March 31, 2025.
FFIEC CAT (North America): the FFIEC's interagency Cybersecurity Assessment Tool for US financial institutions. The FFIEC has announced that the CAT sunsets on August 31, 2025 and has pointed institutions to other frameworks, such as NIST CSF 2.0 and the CISA Cybersecurity Performance Goals, so mappings built on the CAT should be planned against a successor.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.